System Architecture
Palyra is structured as a hub-and-spoke model centered around thepalyrad daemon. The daemon acts as the central gateway, managing sessions, enforcing security policies via the Cedar engine, and dispatching tasks to various executors.
Core Architecture Components
The following diagram illustrates the relationship between the primary code entities and their functional roles in the system: Diagram: Palyra System Topology Sources: crates/palyra-daemon/Cargo.toml#1-67, crates/palyra-daemon/src/bin/palyrad.rs#11-13Key Subsystems
1. The Gateway Daemon (palyrad)
The central process responsible for session lifecycle, transport handling (HTTP/gRPC/QUIC), and the core agent orchestration loop. It coordinates with the palyra-policy crate to ensure every tool invocation is authorized.
- Crate:
palyra-daemoncrates/palyra-daemon/Cargo.toml#2-2 - Entry Point:
src/bin/palyrad.rscrates/palyra-daemon/Cargo.toml#11-13
2. Tool Runtime & Sandboxing
Tools are executed in isolated environments to prevent unauthorized system access. This includes filesystem scoping, process limits, and browser automation via a dedicated gRPC service.- Crates:
palyra-sandbox,palyra-browserd,palyra-skillsCargo.toml#10-22
3. Security & Safety
Palyra employs a “deny-by-default” posture. The safety boundary scans for prompt injections and secret leaks, while the identity system manages mTLS and device pairing.- Crates:
palyra-policy,palyra-safety,palyra-identity,palyra-vaultCargo.toml#14-20
4. Client Interfaces
Users interact with Palyra through a CLI, a web-based console, or a desktop application (Tauri).- CLI:
palyra-cli(binary:palyra) crates/palyra-cli/Cargo.toml#2-13 - Web/Desktop: React-based frontends located in the
apps/directory. package.json#11-15
Code Entity Mapping
The following table maps conceptual system components to their specific implementations in the codebase:| Concept | Code Entity / Crate | Purpose |
|---|---|---|
| Central Hub | palyrad / palyra-daemon | Manages the agent loop and API gateway. |
| Command Line | palyra / palyra-cli | Primary developer and operator interface. |
| Policy Engine | palyra-policy | Cedar-based authorization for tool calls. |
| Secret Storage | palyra-vault | Envelope encryption for provider keys. |
| Browser Control | palyra-browserd | Headless Chromium management via gRPC. |
| Networked Execution | palyra-workerd | Remote execution nodes for distributed tasks. |
Deployment Profiles
Palyra supports multiple deployment modes defined inpalyra-common. These profiles determine the default security posture and connectivity options:
local(orlocal_desktop): Optimized for single-user workstation use.single-vm(orremote_vps): Designed for deployment on a single remote server.worker-enabled: Supports a fleet of networked workers for horizontal scaling.
Child Pages
For detailed technical documentation on specific subsystems, refer to the following pages:- Repository Structure and Crate Map: A deep dive into the monorepo layout, crate dependencies, and the purpose of each directory (apps, crates, schemas, etc.).
- Getting Started: Setup and Configuration: Instructions for developer bootstrapping, using the onboarding wizard, and configuring
palyra.tomlfor different deployment profiles.